In order to develop a driver for a lab project, I tried reviewing code in the WDK source. After a very short look, I found some example code that is worth reading. For example, in the source code of the Minifilter driver sample (scanner.c), the author states that "This filter scans the data in a file before allowing an open to proceed. This is similar to what virus checkers do."
Minifilter can ....
To use a Minifilter, we first need to construct a FLT_REGISTRATION structure. Here is the example from the WDK.
const FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),   // Size
    FLT_REGISTRATION_VERSION,     // Version
    0,                            // Flags
    ContextRegistration,          // Context Registration.
    Callbacks,                    // Operation callbacks
    ScannerUnload,                // FilterUnload
    ScannerInstanceSetup,         // InstanceSetup
    ScannerQueryTeardown,         // InstanceQueryTeardown
    NULL,                         // InstanceTeardownStart
    NULL,                         // InstanceTeardownComplete
    NULL,                         // GenerateFileName
    NULL,                         // GenerateDestinationFileName
    NULL                          // NormalizeNameComponent
};
The ContextRegistration member of FLT_REGISTRATION is an FLT_CONTEXT_REGISTRATION array that defines the context types the filter uses, and Callbacks is an FLT_OPERATION_REGISTRATION array that registers the operation callbacks. The examples of these two structures follow.
const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_STREAMHANDLE_CONTEXT,
      0,
      NULL,
      sizeof(SCANNER_STREAM_HANDLE_CONTEXT),
      'chBS' },
    { FLT_CONTEXT_END }
};
[structure explain]
const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE,
      0,
      ScannerPreCreate,
      ScannerPostCreate },
    { IRP_MJ_CLEANUP,
      0,
      ScannerPreCleanup,
      NULL },
    { IRP_MJ_WRITE,
      0,
      ScannerPreWrite,
      NULL },
    { IRP_MJ_OPERATION_END }
};
[structure explain]
The most interesting part is the ScannerPostCreate function, so let's move on to it and take a look.
This function checks the file extension and then calls ScannerpScanFileInUserMode. If the result is safe, the open is allowed to proceed and the file is left for the write check; otherwise FltCancelFileOpen is used to cancel the open operation.
In ScannerpScanFileInUserMode, the driver calls FltReadFile to read the file content into a buffer and then passes it to user space with FltSendMessage. The user-space program is responsible for scanning the content.
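The two decisions described above, the extension pre-check in ScannerPostCreate and the content scan that the user-mode program performs on the buffer it receives via FltSendMessage, as a portable C model (added example, not code from scanner.c). The list of scanned extensions and the "foul" signature are constructed assumptions, and the filter communication port transport is left out so the block compiles without the WDK.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed assumptions: which extensions get scanned, and the byte
 * pattern the user-mode scanner treats as unsafe. Neither comes from scanner.c. */
static const char *kScannedExtensions[] = { "txt", "doc", NULL };
static const char kBadSignature[] = "foul";

typedef enum { SCAN_ALLOW, SCAN_DENY } ScanVerdict;

static bool ext_equals_nocase(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Cheap pre-check done in PostCreate before paying for a read and a
 * round trip to user mode: only files with a listed extension are scanned. */
bool needs_scan(const char *filename) {
    const char *dot = strrchr(filename, '.');
    if (dot == NULL || strpbrk(dot, "/\\") != NULL)  /* no extension, or the '.' sits in a directory name */
        return false;
    for (const char **ext = kScannedExtensions; *ext != NULL; ext++)
        if (ext_equals_nocase(dot + 1, *ext))
            return true;
    return false;
}

/* What the user-mode scanner does with the buffer it was sent:
 * returns true when the content is safe to open (signature not found). */
bool scan_buffer_is_safe(const unsigned char *buf, size_t len) {
    const size_t siglen = sizeof(kBadSignature) - 1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, kBadSignature, siglen) == 0)
            return false;
    return true;
}

/* PostCreate decision: unscanned extensions are allowed through, a clean
 * file is allowed (and later rechecked on write), and an unsafe file is
 * denied, which the real driver does with FltCancelFileOpen. */
ScanVerdict post_create_verdict(const char *filename,
                                const unsigned char *buf, size_t len) {
    if (!needs_scan(filename))
        return SCAN_ALLOW;
    return scan_buffer_is_safe(buf, len) ? SCAN_ALLOW : SCAN_DENY;
}
```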
[How to communicate between user space and kernel space]